Client Data Processing Agreement (DPA)

1. Preamble & Application

This Data Processing Agreement (“DPA”) is incorporated into the Master Services Agreement or Terms of Service (“Agreement”) between RoshanAI360 (“Processor”) and the Client (“Controller”).

This DPA reflects the parties’ agreement on the processing of Personal Information in connection with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.

2. Definitions

  • “Controller” (Client): The entity that determines the purposes and means of the processing of Personal Data.
  • “Processor” (RoshanAI360): The entity which processes Personal Data on behalf of the Controller.
  • “Sub-processor”: Any third party (including affiliates) engaged by the Processor to process Personal Data.
  • “Personal Data”: Has the meaning given to “Personal Information” in the Privacy Act 1988 (Cth).

3. Roles and Responsibilities

3.1 Client (Controller) Obligations

The Client warrants that:

  1. It has a lawful basis for processing the Personal Data (e.g., consent or legitimate business interest).
  2. It has provided all necessary notices to Callers (Data Subjects) regarding the recording and processing of their voice data.
  3. It is responsible for the accuracy and quality of the Personal Data provided to the Processor.

3.2 RoshanAI360 (Processor) Obligations

RoshanAI360 shall:

  1. Process Personal Data only on documented instructions from the Client (i.e., to provide the AI Voice Service).
  2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
  3. Not use Personal Data for its own independent marketing or advertising purposes.

4. Security Measures

RoshanAI360 implements enterprise-grade technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Data at rest is encrypted (e.g., AES-256) and data in transit is encrypted via TLS 1.2 or higher.
  • Access Control: Implementation of strict role-based access control (RBAC) and Multi-Factor Authentication (MFA) for all personnel accessing the production environment.
  • Physical Security: Hosting data in Tier IV data centers (via our cloud providers) with 24/7 physical security.

5. Sub-Processors

5.1 General Authorization

The Client grants RoshanAI360 a general authorization to engage Sub-processors to provide the Services (e.g., OpenAI for LLM processing, Twilio/Vapi for telephony, AWS/Google Cloud for hosting).

5.2 Liability

RoshanAI360 remains fully liable to the Client for the performance of the Sub-processor’s obligations.

5.3 Notification of Changes

RoshanAI360 will maintain a list of current Sub-processors. We will provide notice of any new Sub-processors. The Client may object to a new Sub-processor on reasonable grounds related to data protection within 14 days.

6. International Data Transfers

The Client acknowledges that due to the nature of Generative AI and Cloud Computing, Personal Data will be transferred to and processed in jurisdictions outside of Australia (specifically the United States).

  • Consent: The Client consents to this transfer in accordance with APP 8.1.
  • Safeguards: RoshanAI360 ensures that international Sub-processors are bound by strict Data Processing Addendums.

7. Data Breach Notification (NDB Scheme)

In the event of a Data Breach affecting Client data, RoshanAI360 will:

  1. Notify: Notify the Client without undue delay (and in any event within 72 hours) after becoming aware of the breach.
  2. Assist: Provide the Client with sufficient information to allow the Client to meet any obligations to report to the Office of the Australian Information Commissioner (OAIC) or affected individuals.
  3. Mitigate: Take immediate steps to contain and remedy the breach.

8. Data Subject Rights

RoshanAI360 will provide reasonable assistance to the Client to respond to requests from individuals exercising their rights (e.g., requests to access or delete call recordings).

  • Since RoshanAI360 cannot verify the identity of a Caller, we will refer any direct requests from Callers back to the Client.

9. Audit Rights

  • Certifications: Upon request, RoshanAI360 will provide its latest security documentation or SOC 2/ISO certifications (if/when available) to demonstrate compliance.
  • On-Site Audits: Due to security risks, on-site audits are generally not permitted. If legally required, audits must be:
    1. At the Client’s sole expense.
    2. Conducted during business hours with 30 days’ prior notice.
    3. Subject to strict confidentiality undertakings.

10. Return and Deletion of Data

Upon termination of the Services:

  • RoshanAI360 will delete Customer Data after a standard retention period (e.g., 30 days) unless legally required to retain it.
  • Upon written request prior to termination, RoshanAI360 can provide a download of call logs/transcripts in a standard machine-readable format (e.g., JSON or CSV).

11. Government & Law Enforcement Requests

If RoshanAI360 receives a demand from law enforcement (e.g., a warrant for call recordings):

  1. We will attempt to redirect the agency to request the data directly from the Client.
  2. We will notify the Client of the request unless legally prohibited from doing so.

12. Limitation of Liability

Crucial Clause:

The liability of RoshanAI360 under this DPA (including for data breaches) is subject to the limitations of liability and liability caps set forth in the Master Services Agreement (Terms & Conditions). There is no separate or unlimited liability for data protection claims, except where prohibited by Australian law.

13. Governing Law

This DPA is governed by the laws of New South Wales, Australia, and the parties submit to the jurisdiction of the courts of that State.